Summary of the invention
For solving the deficiencies in the prior art, the object of the present invention is to provide a kind of comprehensive, accuracy and adaptability, the alarm correlation analysis system based on alarm propagation pattern being convenient to promotion and implementation and the analytical method thereof that effectively can improve alarm correlation analysis.
For achieving the above object, the present invention is achieved by the following technical solutions:
Based on an alarm correlation analysis system for alarm propagation pattern, it is characterized in that, comprising:
Combine network configuration database, directed graph (the directive connection layout of tool) model information and event tree pattern database, and specifically perform the analytic operation unit that the relevance algorithms of alarm is analyzed;
For the information memory cell of memory dependency analysis engine program file, network configuration database, Directed Graph Model information and event tree pattern database;
For realizing the collection to the alarm on multiple communication network, and the data acquisition unit realized the normalization conversion of warning content and form and pretreatment unit;
The result form analyzed for concrete organizational relationship and content, provide concrete analysis foundation, process and result, provide the output unit of the output contents such as Root alarm for outside display system;
With provide RMI input interface and instrument, in order to network configuration information concrete in input system, as building based on the input unit of the basic data of the directed graph of alarm propagation pattern.
Wherein, described network configuration database is a kind of network configuration information, database containing specific configuration information of being formed in conjunction with manual typing mode of being gathered by collecting unit.
Described Directed Graph Model information in order to store physics and logical node relation in single EMS, comprises the model information of board, PTP and CTP and the span line between them, passage, intersection and inclusion relation for a kind of.
Described event tree pattern database manually typing and the pattern database containing concrete event tree pattern and policy information that formed.
And described analysis engine program file is that one is in conjunction with network configuration database structure Directed Graph Model, and after alarm is normalized, packet transaction is carried out to alarm, the pattern of mating with Directed Graph Model is used to carry out alert analysis, with event tree pattern, assistant analysis is carried out to the successful alarm of analysis, the final file exporting the correlation analysis result containing Root alarm.
Based on an alarm correlation analysis method for alarm propagation pattern, it is characterized in that, comprise the following steps:
A. by EMS, the logic in network and physical node are divided into multiple groups, for each group, adopt directed graph to describe dependence as alarm propagation between the logic of alarm source and physical node;
B. the process in a unified format all alarms are normalized and conversion;
C. alarm is navigated on each node on directed graph, obtain the incidence relation between alarm by the annexation found between node;
D. judge the correlation of alarm according to incidence relation, release root alarm.
The construction method of the directed graph described in steps A is:
1. for each group, from the EMS of correspondence, obtain physics and logical node and form the node of directed graph, wherein, described physics and logical node comprise: board, port, high-order time slot and low order time slot;
2. unidirectional line is built according to the inclusion relation between each node: comprise port and point to board, 2M port points to low order time slot, and low order time slot points to high-order time slot, and high-order time slot points to optical port;
3. two-way line is built according to the coordination between each node: comprise the direct span line of port, with the expanding channels between the interconnection of time slot between network element and different network elements.
The concrete grammar obtaining the incidence relation between alarm by the annexation found between node described in step C is: the layer speed height comparing two nodes, the high node of layer speed is searched from layer speed low, for the node that layer speed is identical, mutually for starting point searches another node.
And the concrete determination methods of release root alarm described in step D is:
1. layer speed is identical, two-wayly reaches or is two-wayly unreachablely designated as peer;
2. layer speed is identical, unidirectionally reaches, and terminating point rank is high;
3. layer speed is different, low to highly reaches, and the rank that layer speed is high is high;
4. layer speed is different, low to high unreachable, is designated as note at the same level;
What 5. rank was high is Local Root alarm, and what rank was low is derivative alarm;
What 6. alarm severity level at the same level was high is Local Root alarm;
7. at the same level and severity level is identical alarm searches root alarm by event tree;
8. event tree also be can not determine, be then labeled as Local Root alarm simultaneously.
The invention has the beneficial effects as follows: the present invention efficiently solves the problem that prior art can not carry out alarm correlation analysis comprehensively, and enhance the accuracy of alarm correlation analysis, high efficiency and adaptability, and reduce O&M cost and operation easier, very be convenient to promotion and implementation, be especially applicable to the use habit of current day by day complicated network condition and user.
Embodiment
Below in conjunction with the drawings and specific embodiments, concrete introduction is done to the present invention.
The workflow diagram of Fig. 1 one embodiment of the invention; The system construction drawing of Fig. 2 one embodiment of the invention.
As depicted in figs. 1 and 2: a kind of alarm correlation analysis system based on alarm propagation pattern, comprising:
Combine network configuration database, Directed Graph Model information and event tree pattern database, and specifically perform the analytic operation unit that the relevance algorithms of alarm is analyzed;
For the information memory cell of memory dependency analysis engine program file, network configuration database, Directed Graph Model information and event tree pattern database;
For realizing the collection to the alarm on multiple communication network, and the data acquisition unit realized the normalization conversion of warning content and form and pretreatment unit;
The result form analyzed for concrete organizational relationship and content, provide concrete analysis foundation, process and result, provide the output unit of the output contents such as Root alarm for outside display system;
With provide RMI input interface and instrument, in order to network configuration information concrete in input system, as building based on the input unit of the basic data of the directed graph of alarm propagation pattern.
Wherein, described network configuration database is a kind of network configuration information, database containing specific configuration information of being formed in conjunction with manual typing mode of being gathered by collecting unit.
Described Directed Graph Model information in order to store physics and logical node relation in single EMS, comprises the model information of board, PTP and CTP and the span line between them, passage, intersection and inclusion relation for a kind of.
Described event tree pattern database manually typing and the pattern database containing concrete event tree pattern and policy information that formed.
And described analysis engine program file is that one is in conjunction with network configuration database structure Directed Graph Model, and after alarm is normalized, packet transaction is carried out to alarm, the pattern of mating with Directed Graph Model is used to carry out alert analysis, with event tree pattern, assistant analysis is carried out to the successful alarm of analysis, the final file exporting the correlation analysis result containing Root alarm.
Fig. 5 is alarm correlation analysis process chart of the present invention.
As shown in Figure 5: a kind of alarm correlation analysis method based on alarm propagation pattern, concrete steps are:
A. by EMS, the logic in network and physical node are divided into multiple groups, for each group, adopt directed graph to describe dependence as alarm propagation between the logic of alarm source and physical node;
The present invention is based on the basis of the system modelling of communication network management---configuration information divides according to affiliated EMS by the thought of layering and segmentation, the directed graph each EMS being built separately to a physics and logical node relation represents configuration information and relation thereof, and is that each EMS starts a computational threads in order to analyze the alarm correlation of EMS inside generation.
Wherein, the construction method of described directed graph is:
1. for each group, from the EMS of correspondence, obtain physics and logical node and form the node of directed graph, wherein, described physics and logical node comprise: board, port, high-order time slot and low order time slot;
2. unidirectional line is built according to the inclusion relation between each node: comprise port and point to board, 2M port points to low order time slot, and low order time slot points to high-order time slot, and high-order time slot points to optical port;
3. two-way line is built according to the coordination between each node: comprise the direct span line of port, with the expanding channels between the interconnection of time slot between network element and different network elements.
Use adjacency matrix to represent and often open directed graph, logical construction is divided into two parts: the set of V and E.Therefore, all vertex datas in figure are deposited by an one-dimension array; The data of relation between summit (limit or arc) are deposited with a two-dimensional array.
Fig. 3 is the exemplary system figure of a looped network SDH system of the present invention and chain SDH composition; Fig. 4 is the basic communication mode schematic diagram of alarm of the present invention.
As shown in Figure 3: below for one unidirectional comprise the system of a looped network SDH system and chain SDH composition the basic communication mode of SDH alarm is described.For above-mentioned system basic alarm communication mode then as shown in Figure 4.
In above-mentioned two width figure, adopting the directive connection layout of tool (directed graph) to describe may as the dependence of alarm propagation between the logic of alarm source and physical points, so just the incidence relation between alarm is converted into the annexation figure between node in alarm propagation pattern and node.The incidence relation between alarm is obtained by the searching of the relation of the connection between node.Wherein: four-headed arrow, represent coordination, span line, transmission channel generally is two-way; Unidirectional arrow, represents inclusion relation, arrow points root node
Step B: the process in a unified format all alarms are normalized and conversion.
The present invention is received by alarm, form the basic data of carrying out in EMS needed for alarm correlation analysis, determine and adopt unified alarm data content and the division methods of form, each network alarm field is reduced, by the format conversion that alarm required attribute information (as: alarm object, alarm name, alarm time, alarm grade etc.) is normalized.
By normalized and the conversion of this step, the standardization alarm information formats obtained is as follows:
Alarm attributes field |
Content is illustrated |
Unique ID of alarm |
As UUID: " CA4B883AAAB043D28C87406DB4EDD0CB " |
Alarm name |
As " 622M port [#1]: R_LOS alarm " |
Alarm place EMS title |
As " Huawei T2000 " |
Alarm place EMS ID |
As UUID: " d4aa9194156340e38b05477275e10529 " |
Alarm type identifier |
As " communication alarm " |
Alarm grade |
As " high severity alarm " or " Severity " |
The alarm network element time |
As " 2011-02-27 12:09:41 " |
Alarm cause |
As " R_LOS " |
There is the resource type of alarm |
As " port " |
There is the resource of alarm |
As " 622M port [#1] " |
Step C: alarm navigated on each node on directed graph, obtains the incidence relation between alarm by the annexation found between node.
The concrete grammar obtaining the incidence relation between alarm by the annexation found between node described in step C is: the layer speed height comparing two nodes, the high node of layer speed is searched from layer speed low, for the node that layer speed is identical, mutually for starting point searches another node.
Concrete steps are as follows:
1) the EMS information belonging to alarm adds in corresponding buffer memory, and to save in time window all does not analyze alarm and Local Root alarm for buffer memory.Analysis thread is postponed and is deposited middle reading two alarm a and b, and alarm is navigating on the interdependent node of directed graph by the resource according to there is alarm;
2) the layer speed of resource belonging to resource belonging to a and b is judged, if the layer speed of resource belonging to a is greater than the layer speed of resource belonging to b, with b place node for start node searches a place node; If the layer speed of resource belonging to a equals the layer speed of resource belonging to b, first with a place node for start node searches b place node, then with b place node for start node searches a place node;
3) concrete lookup algorithm is as follows: if 1. two node rate are identical, uses width first traversal, width first traversal (Breadth-First-Search), also known as doing breadth-first search, or breadth-first search, being called for short BFS, is a kind of graphic searching algorithm.Briefly, BFS is from root node, along the node of the width traverse tree of tree, if find target, then calculates termination; If 2. two nodes are with network element different rates, use depth-priority-searching method, a. chooses a certain summit V in figure
isend out for starting point and search V
e, access and mark this summit; B. with V
ifor current vertex, search for V successively
ieach abutment points V
jif, V
jbe not equal to V
e, then with V
jfor current vertex repeats step b, if V
jequal V
e, then represent and find V
e; If 3. two node different network elements different rates, first use depth-priority-searching method finds the node with destination node same rate in same network element, then with this node for summit uses width first traversal to search destination node; 4. special, when traversal terminates or traverse node number exceedes that to specify step value to be then labeled as two nodes unreachable.
Step D: the correlation judging alarm according to incidence relation, releases root alarm.
And the concrete determination methods of release root alarm described in step D is:
The figure matching result drawn according to step C judges the correlation of alarm, 1. layer speed is identical two-wayly reaches, what alarm level was high is root alarm, low is derivative alarm, the words that alarm level is identical, determine root alarm by event tree, that cannot determine is all labeled as Local Root alarm by two alarms, waits for and other alert analysis correlations.2. layer speed is identical two-way unreachable, and two alarms are all labeled as Local Root alarm, waits for and other alert analysis correlations.3. layer speed is identical, unidirectionally reaches, and the alarm that terminating point level occurs is root alarm, and the alarm that start node occurs is derivative alarm; 4. layer speed is different, low to highly reaches, and the alarm that the node that layer speed is high occurs is root alarm, and another alarm is derivative alarm; 5. layer speed is different, and low to high unreachable, two alarms are all labeled as Local Root alarm, waits for and other alert analysis correlations; 6. derivative alarm deleted from alarm list, Local Root alarm continues to put into list and waits for lower whorl analysis, and Local Root alarm will be deleted after reaching time window from alarm list buffer memory, analyzes and terminates.
Other concrete technology of the method for the invention and system describe the description need consulting appropriate section in the above-mentioned explanation of the present invention in detail, are not repeated.
Above-described embodiment does not limit the present invention in any form, the technical scheme that the mode that all employings are equal to replacement or equivalent transformation obtains, and all drops in protection scope of the present invention.